My general rule is to do everything as early as possible. This might even include checking as early as Application.BeginRequest (which occurs may events before the page is even loaded), so long as query string verification is not page-dependent.

The question here is “What do you consider to be tampering?” Invalid keys? Invalid values? Attempts to encode tags that might hopefully be written to the resulting page as part of an XSS attack?

It’s hard to give any sort of specific advice without knowing more about what you’re trying to accomplish.

EDIT: To access the application events, add a Global Application Class to your project from the ‘Add New Item’ option.

Every request triggers the application lifecycle, and the page lifecycle is just a sub-process within that when the request handler happens to be an aspx file.

EDIT2: Cleaning query string data depends entirely on what you are using the data for. Some potentially dangerous uses for query string data include:

• Values for an SQL command: SQL injection can be largely mitigated by using ‘parameterised queries’.
• File locations: This could be used to make the server cough up any file on the hard drive if NTFS permissions on the server are lax.
• Values written into the HTML response: A user could encode a tag and execute some JavaScript. Be sure to use Server.Encode() or manually cleanse the string.

• ID values: If you are using the query string to store ID values, a user could replace those with others in at attempt to access information about things they shouldn’t see, an example of which may be:

  http://domain.com/somepage.aspx?userid=1343243

The user makes an educated guess and changes this to:

http://domain.com/somepage.aspx?userid=0

And that could bring up the admin user.